Re: Using rewrite and map (slapo-rwm) to unify subordinate OpenLDAP with Active Directory
<quote who="Andrew Kay">
> (Apologies if anybody has already received this, I sent the message
> before subscribing to the list and later discovered that it may not be
> relayed if I wasn't a subscriber.)
> I am trying to configure OpenLDAP such that it acts as a subordinate
> to an Active Directory server to allow applications to seamlessly
> authenticate users against both directories via the OpenLDAP server
> (some users will be in OpenLDAP, some in AD). The directory suffixes
> are set up as follows, for example:
> Active Directory dc=xyz, dc=com
> OpenLDAP ou=Extranet, dc=xyz, dc=com (subordinate)
> I have successfully configured OpenLDAP such that a query with a base
> "dc=xyz, dc=com" will return results from both directories.
> I now want to add a rewrite rule to entries from the AD directory such
> that Microsoft object classes (user and group) are transformed into
> inetOrgPerson and groupOfNames respectively. Also, I'd like the
> SAMAccountName attribute to be mapped to an attribute named uid. I
> followed the example of using the rwm overlay here:
> I was then able to perform a query on the uid attribute against the AD
> directory, the entry was returned rewritten as an inetOrgPerson as I
> had expected.
> However, I am no longer able to perform a query on the uid attribute
> against the subordinate OpenLDAP directory (base "ou=Extranet, dc=xyz,
> dc=com") as, AFAIK, the rewrite rule is removing it from the query,
> results or both.
Have you analysed your logs to see what's actually happening?
What does your current config look like?
> Is it possible to only apply such rewrite rules to entries within the
> AD directory, and leave entries stored in the OpenLDAP subordinate
> directory untouched, or is there a better way to approach this